How to Manage Secrets and Passwords with CredentialManager and PowerShell

In this article, I want to focus on a cybersecurity topic but from an operations perspective and with a pragmatic approach to tactics that users can implement to implement the security strategy or principles with less friction as possible from the end-users.

Each one of us every single day use at least multiple secrets, passwords, and identities. Modern applications and services will provide identity management (with or without multifactor authentication) and have a form of role-based access control and implementing the least privilege access.

So when we design IT systems we want to provide the best experience to the end-user minimizing friction and to achieve this ideal single-sign-on via federation services or other forms of integrations.

This is a good way of reducing the number of identities and secrets, but for all isolated systems or roles where permissions are decoupled is common practice still to use multiple accounts. The result is that every user will manage if “lucky” just a handful of different usernames and passwords or if you’re a system administrator having access to different environments that can number can grow to hundreds or potentially thousands of different secrets.

The problem of managing secrets is been already solved by password/secret manager solutions a long time ago. Windows has a built-in solution called Credential Manager, MacOs has KeyChain and there a lot of solutions capable of managing your personal vault of secrets or for your entire organization.

But when we deal with automation or even running scripts unattended it means that we need to get secrets from the users of from password managers and this topic is the one I want to dive because of it’s often not even taken into account.

In this scenario, the first approach will be getting familiar with Credential Manager.  From the GUI you can access Credential Manager from “Control Panel”  and find “Credential Manager”

credentialmanager

and even from the command prompt using cmdkey.exe to list all the saved secrets.  Most users don’t even know or expect that you can list them from the command prompt or add new one.

To view the help

Why Use Credential Manager?

Most applications (IE, Visual Studio IDE, VS Code, etc..) use Credential Manager to store secrets already so whenever you change your password that is the only place where you need to update the secret.

Having a personal, single and central repository is definitely easier to manage compared to multiple places. It’s built-in, free and just works!

How to access Credential Manager with PowerShell?

There is a Powershell Module from the PowerShell gallery that it’s been largely tested and downloaded (with over 500.000 downloads), big thanks to Dave Garnar for putting his time and effort to develop this module, he’s looking for contributors and if you have a look at the code you’ll find out that is most C# and it’s not a wrapper of cmdkey.exe.

How to install Credential Manager Module?

Let’s start with installing the module first and once we open powershell with admin rights, let’s run this command:

How to check if CredentialManager is installed and the new cmd-lets?

The cmd-let included in this new module are basically 3 to Read, Create and Remove secrets from Credential Manager.

Not many users I guess use the Get-StrongPassword cmd-let, but that’s a nice bonus to be able to generate a random password, so you can play this to generate a list of password with a one-liner:

How to check if the Credential for this user (e.g. [email protected]) is already stored

How to add the new Credential to CredentialManager

When can we use this? Give us some examples

  • Depending on your role there are unattended scripts that would be useful to run with other user credentials for testing purposes or simply because your user doesn’t have access to that specific environment for instance test or training environment.
  • If every user in the organization may have a specific account to access with a separate account a different set of resources the automated/scheduled script will look for the credential in credential manager and if defined will try to run with that identity.
  • You can automate password change for some test accounts and store the new secret in the credential manager with a single script on-demand or as a scheduled task.

Wrap up

Having a personal central repository for secrets is very useful and will prevent that users set a simpler / weaker password and avoid the bad habits of sharing the same secret across different accounts or hard-code the secrets in the somewhere in the source code.

In the next article, I will use a centralised secret repository…  so if you’re interested I recommend you to keep an eye on scriptinglibrary.com.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.